Secure Coding mailing list archives

Re: Let's get the ball rolling


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Sun, 07 Dec 2003 17:41:36 +0000

Despite the traffic of the last few days, I'm hoping that the list focuses
on that "other stuff" as well. Most software development organizations have
not integrated security into their SDLC effectively. I'd be interested in
hearing how other organizations have dealt with this.  The SSE-CMM (I
chaired the group that authored it) focuses on systems engineering, not
software specifically. Software development organizations need specific
practices for software engineering.

I'm particularly interested in the most effective of these practices for
large-scale software organizations, in the "bang for the buck" sense.
Imagine you're a software development manager with a limited budget, and you
just realized that you need to start producing more secure software.  Do you
invest in training developers, better software security requirements,
configuration management, better documentation, designing and implementing
better security mechanisms, code review and penetration testing, or what?

Obviously, one major factor is where you are right now in the development
process, since you can't go back and train all the developers after the
system is already developed. But what is the calculus for what to do when?
And what measurements can you take to be sure that what you do makes good
risk management sense?

--Jeff

Jeff Williams
Aspect Security
http://www.aspectsecurity.com
